getdoorman 1.0.0

package/src/rules/ast-rules.js

@@ -0,0 +1,756 @@
+/**
+ * AST-based security rules (AST-SQL-001 through AST-ERR-002)
+ *
+ * These rules leverage tree-sitter AST analysis for significantly more precise
+ * detection than regex-based rules. They can follow variable indirection, ignore
+ * comments and strings, and reason about scope and control flow.
+ *
+ * Each rule receives a context object with { files, stack, astParse } where
+ * astParse is a function (content, language) => ASTContext | null.
+ */
+
+import { parseFile, detectLanguage, isASTAvailable } from '../ast-scanner.js';
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some((ext) => f.endsWith(ext));
+
+const SKIP_PATH =
+  /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|__snapshots__|node_modules|vendor|dist|build)[/\\]/i;
+
+/**
+ * Helper: run an AST-based check on every applicable file.
+ * Returns findings array.
+ */
+async function forEachAST(files, rule, checkFn) {
+  if (!isASTAvailable()) return [];
+
+  const findings = [];
+
+  for (const [filePath, content] of files) {
+    if (SKIP_PATH.test(filePath)) continue;
+
+    const lang = detectLanguage(filePath);
+    if (!lang) continue;
+
+    const ctx = await parseFile(content, lang);
+    if (!ctx) continue;
+
+    const fileFindings = checkFn(ctx, filePath, content);
+    for (const f of fileFindings) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file: filePath,
+        line: f.line,
+        fix: rule.fix || null,
+        astBased: true,
+      });
+    }
+  }
+
+  return findings;
+}
+
+function makeFinding(ctx, node) {
+  return { line: ctx.nodeLocation(node).line };
+}
+
+// ---------------------------------------------------------------------------
+// Query/DB call helpers
+// ---------------------------------------------------------------------------
+const DB_CALL_NAMES = ['query', 'execute', 'exec', '$queryRaw', '$executeRaw', 'raw'];
+const SECRET_VAR_NAMES = /^(password|secret|apiKey|api_key|token|auth_token|private_key|privateKey|secretKey|secret_key|accessToken|access_token)$/i;
+
+// ---------------------------------------------------------------------------
+// The 20 AST rules
+// ---------------------------------------------------------------------------
+
+const astRules = [
+  // -----------------------------------------------------------------------
+  // AST-SQL-001: SQL injection via string concatenation in db calls
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-SQL-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'firm',
+    title: 'SQL Injection via String Concatenation (AST)',
+    description:
+      'Database query call uses string concatenation with non-literal values. An attacker may inject SQL.',
+    fix: { suggestion: 'Use parameterized queries instead of string concatenation.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx, filePath) => {
+        const results = [];
+        for (const name of DB_CALL_NAMES) {
+          for (const call of ctx.findCalls(name)) {
+            const args = ctx.getArguments(call);
+            if (args.length > 0 && ctx.containsConcatenation(args[0])) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-SQL-002: SQL injection via template literals in query calls
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-SQL-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'firm',
+    title: 'SQL Injection via Template Literal (AST)',
+    description:
+      'Database query call uses a template literal with embedded expressions, allowing SQL injection.',
+    fix: { suggestion: 'Use parameterized queries with placeholders ($1, ?) instead of template literals.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const name of DB_CALL_NAMES) {
+          for (const call of ctx.findCalls(name)) {
+            const args = ctx.getArguments(call);
+            if (args.length > 0 && args[0].type === 'template_string') {
+              // Check that template has substitutions (not a plain string)
+              let hasSubs = false;
+              for (let i = 0; i < args[0].childCount; i++) {
+                if (args[0].child(i).type === 'template_substitution') {
+                  hasSubs = true;
+                  break;
+                }
+              }
+              if (hasSubs) {
+                results.push(makeFinding(ctx, call));
+              }
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-EVAL-001: eval() with non-literal argument
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-EVAL-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'firm',
+    title: 'eval() with Non-Literal Argument (AST)',
+    description:
+      'eval() is called with a non-literal argument, allowing arbitrary code execution.',
+    fix: { suggestion: 'Avoid eval(). Use JSON.parse() for data, or a sandboxed VM for code execution.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const call of ctx.findCalls('eval')) {
+          const args = ctx.getArguments(call);
+          if (args.length > 0 && ctx.isNonLiteral(args[0])) {
+            results.push(makeFinding(ctx, call));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-EVAL-002: Function constructor with non-literal body
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-EVAL-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'firm',
+    title: 'Function Constructor with Non-Literal Body (AST)',
+    description:
+      'new Function() with a non-literal body string is equivalent to eval() and allows code injection.',
+    fix: { suggestion: 'Avoid the Function constructor with dynamic arguments.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        const newExprs = ctx.findNodes('new_expression');
+        for (const node of newExprs) {
+          const constructor = node.childForFieldName('constructor') || node.child(1);
+          if (constructor && constructor.text === 'Function') {
+            // Check if any argument is non-literal
+            const args = ctx.getArguments(node);
+            const hasNonLiteral = args.some((a) => ctx.isNonLiteral(a));
+            if (hasNonLiteral) {
+              results.push(makeFinding(ctx, node));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-EXEC-001: child_process.exec with non-literal command
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-EXEC-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'firm',
+    title: 'Command Injection via child_process.exec (AST)',
+    description:
+      'child_process.exec/execSync is called with a non-literal command string, enabling command injection.',
+    fix: { suggestion: 'Use child_process.execFile or spawn with an argument array instead of exec.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const name of ['exec', 'execSync']) {
+          for (const call of ctx.findCalls(name)) {
+            const args = ctx.getArguments(call);
+            if (args.length > 0 && ctx.isNonLiteral(args[0])) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-XSS-001: res.send() with user input argument
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-XSS-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Reflected XSS via res.send (AST)',
+    description:
+      'res.send() or res.write() is called with user-controlled input (req.query/body/params), enabling reflected XSS.',
+    fix: { suggestion: 'Sanitize or encode user input before sending it in the response.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const name of ['send', 'write', 'end']) {
+          for (const call of ctx.findCalls(name)) {
+            const callee = call.child(0);
+            // Ensure it's res.send, not arbitrary .send
+            if (callee && callee.type === 'member_expression') {
+              const obj = callee.childForFieldName('object');
+              if (obj && (obj.text === 'res' || obj.text === 'response')) {
+                const args = ctx.getArguments(call);
+                if (args.length > 0 && ctx.containsUserInput(args[0])) {
+                  results.push(makeFinding(ctx, call));
+                }
+              }
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-XSS-002: dangerouslySetInnerHTML with non-literal value
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-XSS-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'dangerouslySetInnerHTML with Non-Literal Value (AST)',
+    description:
+      'React dangerouslySetInnerHTML is set with a non-literal value, which may lead to XSS.',
+    fix: { suggestion: 'Sanitize HTML with DOMPurify before using dangerouslySetInnerHTML.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        // Look for JSX attributes named dangerouslySetInnerHTML
+        for (const node of ctx.findNodes('jsx_attribute')) {
+          const name = node.childForFieldName('name') || node.child(0);
+          if (name && name.text === 'dangerouslySetInnerHTML') {
+            // Check if the value contains non-literal content
+            const value = node.childForFieldName('value') || node.child(node.childCount - 1);
+            if (value && ctx.isNonLiteral(value)) {
+              results.push(makeFinding(ctx, node));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-AUTH-001: Express route without auth middleware
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-AUTH-001',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Express Route Without Auth Middleware (AST)',
+    description:
+      'Express route handler has no authentication middleware. Sensitive routes may be publicly accessible.',
+    fix: { suggestion: 'Add authentication middleware (e.g., requireAuth) before the route handler.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        const sensitivePatterns = /\/(admin|user|account|profile|dashboard|api\/v\d+)/;
+        const authMiddlewareNames = /auth|authenticate|requireAuth|isAuthenticated|protect|verify|jwt|token/i;
+
+        for (const method of ['get', 'post', 'put', 'patch', 'delete']) {
+          for (const call of ctx.findCalls(method)) {
+            const callee = call.child(0);
+            // Must be router.get / app.post etc
+            if (!callee || callee.type !== 'member_expression') continue;
+
+            const args = ctx.getArguments(call);
+            if (args.length < 2) continue;
+
+            // First arg should be a route string
+            const routeArg = args[0];
+            if (!ctx.isStringLiteral(routeArg)) continue;
+            if (!sensitivePatterns.test(routeArg.text)) continue;
+
+            // Check if any middle argument (between route and last handler) is auth middleware
+            const middlewareArgs = args.slice(1, -1);
+            const hasAuth = middlewareArgs.some((a) => authMiddlewareNames.test(a.text));
+            if (!hasAuth) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-AUTH-002: Missing rate limiting on auth routes
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-AUTH-002',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Rate Limiting on Auth Route (AST)',
+    description:
+      'Authentication route (login, register, password) has no rate-limiting middleware, enabling brute-force attacks.',
+    fix: { suggestion: 'Add rate-limiting middleware (e.g., express-rate-limit) to authentication endpoints.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        const authRoutes = /\/(login|signin|sign-in|register|signup|sign-up|forgot-password|reset-password|auth)/;
+        const rateLimitNames = /rateLimit|rateLimiter|limiter|throttle|slowDown/i;
+
+        for (const method of ['post', 'get', 'put']) {
+          for (const call of ctx.findCalls(method)) {
+            const callee = call.child(0);
+            if (!callee || callee.type !== 'member_expression') continue;
+
+            const args = ctx.getArguments(call);
+            if (args.length < 2) continue;
+
+            const routeArg = args[0];
+            if (!ctx.isStringLiteral(routeArg)) continue;
+            if (!authRoutes.test(routeArg.text)) continue;
+
+            const middlewareArgs = args.slice(1, -1);
+            const hasRateLimit = middlewareArgs.some((a) => rateLimitNames.test(a.text));
+            if (!hasRateLimit) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-CRYPTO-001: crypto.createCipher (deprecated)
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-CRYPTO-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Deprecated crypto.createCipher Usage (AST)',
+    description:
+      'crypto.createCipher is deprecated and uses a weak key derivation. Use crypto.createCipheriv instead.',
+    fix: { suggestion: 'Replace createCipher with createCipheriv and provide an explicit IV.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const call of ctx.findCalls('createCipher')) {
+          // Confirm it's crypto.createCipher, not createCipheriv
+          const callee = call.child(0);
+          if (callee && callee.text && !callee.text.includes('createCipheriv')) {
+            results.push(makeFinding(ctx, call));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-CRYPTO-002: Math.random() in security context
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-CRYPTO-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Math.random() Used in Security Context (AST)',
+    description:
+      'Math.random() is not cryptographically secure. It should not be used for tokens, passwords, or keys.',
+    fix: { suggestion: 'Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive randomness.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        const securityContext = /token|secret|password|key|salt|nonce|iv|hash|session|csrf|otp|code/i;
+
+        for (const call of ctx.findCalls('Math.random')) {
+          // Check if the result is assigned to or used in a security context
+          const parent = call.parent;
+          if (!parent) {
+            results.push(makeFinding(ctx, call));
+            continue;
+          }
+
+          // Check variable name in assignment
+          if (parent.type === 'variable_declarator') {
+            const name = parent.childForFieldName('name');
+            if (name && securityContext.test(name.text)) {
+              results.push(makeFinding(ctx, call));
+              continue;
+            }
+          }
+
+          // Check enclosing function name
+          const fn = ctx.getParentFunction(call);
+          if (fn) {
+            const fnName = fn.childForFieldName('name');
+            if (fnName && securityContext.test(fnName.text)) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-PATH-001: fs operations with user-controlled path
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-PATH-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Path Traversal via fs Operations (AST)',
+    description:
+      'File system operation (readFile, writeFile) uses a path derived from user input, enabling path traversal.',
+    fix: { suggestion: 'Validate and sanitize file paths. Use path.resolve() and check that the result is within an allowed directory.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        const fsOps = ['readFile', 'readFileSync', 'writeFile', 'writeFileSync',
+          'readdir', 'readdirSync', 'unlink', 'unlinkSync', 'stat', 'statSync',
+          'createReadStream', 'createWriteStream'];
+
+        for (const name of fsOps) {
+          for (const call of ctx.findCalls(name)) {
+            const args = ctx.getArguments(call);
+            if (args.length > 0 && ctx.containsUserInput(args[0])) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-PATH-002: path.join with user-controlled segment
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-PATH-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Path Traversal via path.join (AST)',
+    description:
+      'path.join() includes a user-controlled segment, which may allow directory traversal (../../etc/passwd).',
+    fix: { suggestion: 'Sanitize user input to remove ".." sequences, or validate the resolved path is within an allowed directory.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const name of ['join', 'resolve']) {
+          for (const call of ctx.findCalls(name)) {
+            const callee = call.child(0);
+            if (callee && callee.type === 'member_expression') {
+              const obj = callee.childForFieldName('object');
+              if (!obj || obj.text !== 'path') continue;
+            }
+            const args = ctx.getArguments(call);
+            const hasUserInput = args.some((a) => ctx.containsUserInput(a));
+            if (hasUserInput) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-SSRF-001: HTTP request with user-controlled URL
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-SSRF-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Server-Side Request Forgery (SSRF) (AST)',
+    description:
+      'HTTP request (fetch, axios) uses a URL constructed from user input, enabling SSRF attacks.',
+    fix: { suggestion: 'Validate URLs against an allowlist of domains. Do not allow user input to control the full URL.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const name of ['fetch', 'get', 'post', 'put', 'delete', 'request']) {
+          for (const call of ctx.findCalls(name)) {
+            const callee = call.child(0);
+            // For get/post/put/delete, require axios.get or http.get
+            if (['get', 'post', 'put', 'delete', 'request'].includes(name)) {
+              if (!callee || callee.type !== 'member_expression') continue;
+              const obj = callee.childForFieldName('object');
+              if (!obj) continue;
+              const objName = obj.text;
+              if (!/(axios|http|https|got|superagent|request|fetch)/i.test(objName)) continue;
+            }
+
+            const args = ctx.getArguments(call);
+            if (args.length > 0 && ctx.containsUserInput(args[0])) {
+              results.push(makeFinding(ctx, call));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-PROTO-001: Object.assign with user-controlled source
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-PROTO-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Prototype Pollution via Object.assign (AST)',
+    description:
+      'Object.assign() merges user-controlled input, which may allow __proto__ injection (prototype pollution).',
+    fix: { suggestion: 'Sanitize input to strip __proto__, constructor, and prototype keys, or use a safe merge library.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const call of ctx.findCalls('Object.assign')) {
+          const args = ctx.getArguments(call);
+          // Check sources (all args after the first)
+          for (let i = 1; i < args.length; i++) {
+            if (ctx.containsUserInput(args[i])) {
+              results.push(makeFinding(ctx, call));
+              break;
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-DESER-001: JSON.parse of request body without size check
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-DESER-001',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Unbounded JSON.parse of Request Body (AST)',
+    description:
+      'JSON.parse() is called on user input without prior size validation, which may lead to denial-of-service.',
+    fix: { suggestion: 'Enforce a request body size limit via middleware (e.g., express.json({ limit: "100kb" })).' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const call of ctx.findCalls('JSON.parse')) {
+          const args = ctx.getArguments(call);
+          if (args.length > 0 && ctx.containsUserInput(args[0])) {
+            results.push(makeFinding(ctx, call));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-SECRET-001: Hardcoded string assigned to secret variable
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-SECRET-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Hardcoded Secret in Variable Assignment (AST)',
+    description:
+      'A string literal is assigned to a variable whose name indicates it holds a secret (password, apiKey, token, etc.).',
+    fix: { suggestion: 'Store secrets in environment variables or a secrets manager, not in source code.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const node of ctx.findNodes('variable_declarator')) {
+          const name = node.childForFieldName('name') || node.child(0);
+          const value = node.childForFieldName('value');
+          if (!name || !value) continue;
+
+          if (SECRET_VAR_NAMES.test(name.text) && ctx.isStringLiteral(value)) {
+            // Skip empty strings and placeholder patterns
+            const text = value.text;
+            if (text === '""' || text === "''" || text === '``') continue;
+            if (/process\.env|env\.|config\./i.test(text)) continue;
+            results.push(makeFinding(ctx, node));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-SECRET-002: Hardcoded credentials in object literal
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-SECRET-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'firm',
+    title: 'Hardcoded Credentials in Object Literal (AST)',
+    description:
+      'An object literal has a property named password/secret/apiKey with a hardcoded string value.',
+    fix: { suggestion: 'Use environment variables or a secrets manager instead of hardcoded credentials.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const node of ctx.findNodes('pair')) {
+          const key = node.childForFieldName('key') || node.child(0);
+          const value = node.childForFieldName('value') || node.child(node.childCount - 1);
+          if (!key || !value) continue;
+
+          const keyText = key.text.replace(/['"]/g, '');
+          if (SECRET_VAR_NAMES.test(keyText) && ctx.isStringLiteral(value)) {
+            const text = value.text;
+            if (text === '""' || text === "''" || text === '``') continue;
+            results.push(makeFinding(ctx, node));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-ERR-001: Empty catch block
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-ERR-001',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'firm',
+    title: 'Empty Catch Block (AST)',
+    description:
+      'A catch block is empty, silently swallowing errors. This can hide security-critical failures.',
+    fix: { suggestion: 'Log or handle errors in catch blocks. At minimum, log the error for debugging.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const node of ctx.findNodes('catch_clause')) {
+          const body = node.childForFieldName('body');
+          if (!body) continue;
+          // Count non-whitespace, non-brace children
+          let hasStatements = false;
+          for (let i = 0; i < body.childCount; i++) {
+            const child = body.child(i);
+            if (child.type !== '{' && child.type !== '}' && child.type !== 'comment') {
+              hasStatements = true;
+              break;
+            }
+          }
+          if (!hasStatements) {
+            results.push(makeFinding(ctx, node));
+          }
+        }
+        return results;
+      });
+    },
+  },
+
+  // -----------------------------------------------------------------------
+  // AST-ERR-002: console.log in catch block instead of proper error handling
+  // -----------------------------------------------------------------------
+  {
+    id: 'AST-ERR-002',
+    category: 'security',
+    severity: 'low',
+    confidence: 'likely',
+    title: 'console.log in Catch Block (AST)',
+    description:
+      'A catch block only contains console.log, which may leak sensitive error details in production and is not proper error handling.',
+    fix: { suggestion: 'Use a proper logging framework with log levels, and consider re-throwing or returning an error response.' },
+    check({ files }) {
+      return forEachAST(files, this, (ctx) => {
+        const results = [];
+        for (const node of ctx.findNodes('catch_clause')) {
+          const body = node.childForFieldName('body');
+          if (!body) continue;
+
+          const statements = [];
+          for (let i = 0; i < body.childCount; i++) {
+            const child = body.child(i);
+            if (child.type !== '{' && child.type !== '}' && child.type !== 'comment') {
+              statements.push(child);
+            }
+          }
+
+          // If the only statement is a console.log call
+          if (statements.length === 1) {
+            const stmt = statements[0];
+            const text = stmt.text;
+            if (/console\.(log|warn|info|debug)\s*\(/.test(text)) {
+              results.push(makeFinding(ctx, node));
+            }
+          }
+        }
+        return results;
+      });
+    },
+  },
+];
+
+export default astRules;